Labsco
HrRodan logo

Secure Agent Workspace

โ˜… 1

from HrRodan

A sandboxed, agentic workspace providing secure filesystem, bash, and uv-powered Python execution.

๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅโœ“ VerifiedAccount requiredNeeds API keys

๐Ÿ›ก๏ธ Agent Workspace MCP Server

CI License: MIT Python 3.14+

A unified Model Context Protocol (MCP) server providing a highly secure, containerized workspace for Large Language Models (LLMs). It acts as an isolated "agentic playground" where agents can autonomously code, test, and debug without risking the host machine.


โœจ Features

  • ๐Ÿ—๏ธ Full Project Lifecycle: Bootstrap projects with uv init, manage dependencies with uv add, and execute via uv run.
  • ๐Ÿš Secure Bash Access: Execute shell commands with mandatory timeouts and merged output streams.
  • ๐Ÿš€ Token-Optimized Output: Integrates RTK (Rust Token Killer) to automatically filter and compress run_bash outputs (like ls, git, and test runners), saving 60-90% of LLM context tokens.
  • ๐Ÿ“‚ Robust Filesystem: Path-traversal protected operations for reading, writing, and searching the workspace.
  • ๐Ÿ›ก๏ธ Multi-Layer Security: Non-root execution, dropped capabilities, resource limits, and a read-only root filesystem.
  • โšก Precision Editing: Advanced search_and_replace with fuzzy whitespace matching, indentation preservation, dry-run support, and syntax validation for Python, JSON, JSONL, TOML, and YAML.
  • ๐Ÿ“Š Real-time Observability: Direct logging to MCP client UI and persistent rotating audit logs.

๐Ÿ—๏ธ Architecture

flowchart TD
    Client["MCP Client (Claude / Cursor)"] -- "stdio (JSON-RPC)" --> FastMCP["FastMCP Server"]

    subgraph Sandbox ["Docker Sandbox Container (mcpuser)"]
        direction TB
        
        FastMCP -. "Intercepts accidental prints" .-> StdioGuard["StdoutRedirector"]
        FastMCP -. "Application Logs" .-> Logger["Dual Logger (stderr & .mcp/server.log)"]
        
        FastMCP -- "Tool Calls" --> SecurityGuard["Security & Path Validator"]
        
        subgraph Toolset ["Tool Modules"]
            direction TB
            SecurityGuard --> FSTools["Filesystem (read, write, list, search)"]
            SecurityGuard --> EditTools["Editing (search_and_replace)"]
            SecurityGuard --> ExecTools["Execution (run_bash)"]
        end

        EditTools -- "AST Verification" --> Validator["Syntax Validations (Python, JSON, JSONL, TOML, YAML)"]
        ExecTools -- "Process Group (Timeout=60s)" --> Shell["/bin/sh Subprocess"]
        Shell -- "Package Mgt & Checks" --> UV["uv Environment / Ruff"]
        
        FSTools -- "Secure I/O" --> Workspace["/workspace Directory"]
        EditTools -- "Atomic Writes" --> Workspace
        Shell -- "Executes within" --> Workspace
    end

    Workspace <--"Volume Mount"--> HostFS["User Host Filesystem"]

๐Ÿ› ๏ธ Tool Reference

ToolDescription
read_fileRead text files with optional offset and limit (default: 100 lines).
write_fileCreate files with syntax validation and a 5MB size guard. Refuses to overwrite existing files by default (create_only=True).
list_directoryList contents with [F]ile and [D]irectory prefixes.
search_workspaceFind files by glob pattern with support for exclude_patterns.
run_bashExecute shell commands in /workspace with a 60s timeout. Automatically optimized via RTK to reduce token usage.
search_and_replaceMulti-edit tool with fuzzy whitespace matching, indentation preservation, dry-run mode, and syntax validation (Python, JSON, JSONL, TOML, YAML).

๐Ÿ›ก๏ธ Security & Architecture Model

This server employs a defense-in-depth strategy, explicitly separating strict security boundaries from developer experience and operational reliability features.

๐Ÿ”’ Core Security Features

These features are designed to protect the host system and enforce strict isolation boundaries.

  • Kernel Hardening: All Linux capabilities are dropped (--cap-drop=ALL), neutralizing privilege escalation vectors.
  • Immutable Server Code: The /app directory containing the server source and its virtual environment is owned by root and read-only for the mcpuser. This prevents the server from modifying itself or being tampered with via run_bash.
  • Privilege Lockdown: Enforces no-new-privileges:true to prevent any process from gaining elevated rights.
  • Immutable System Core: The container's root filesystem is mounted entirely read-only, providing a second layer of defense against OS-level tampering.
  • Resource Quotas: Hard limitations on CPU, Memory, and PIDs mitigate denial-of-service (DoS) attempts like fork-bombs and host exhaustion.
  • Strict Boundary Enforcement: A robust path validator comprehensively blocks all path traversal attacks outside the designated /workspace.
  • Process & Resource Control: Mandatory command timeouts (default 60s) and strict process group isolation ensure runaway or malicious processes are killed.
  • Memory-Overload Protection: Hard limits on file reads (1MB) and command outputs (50KB) prevent memory exhaustion.
  • Information Leakage Prevention: Internal stack traces and system paths are suppressed and sanitized from tool outputs.

๐Ÿ› ๏ธ Developer Experience & Convenience

Features focused on seamless integration, usability, and reducing friction during agentic workflows.

  • Host-Aligned Non-Root Identity: Runs as mcpuser with UID/GID customizable at build time, eliminating tedious file permission conflicts on host volume mounts.
  • Automatic Token Optimization: Shell commands executed via run_bash are transparently rewritten through RTK to provide ultra-compact, LLM-friendly output without altering underlying command behavior.
  • Intelligent Search Exclusions: High-noise or sensitive directories (.git, .venv) are automatically ignored to keep context windows lean and relevant.
  • Ephemeral Workspaces: Containers are strictly ephemeral (--rm), guaranteeing a clean, predictable slate for every new session without state leaking across connections.
  • Standardized Discovery: Complies with the OCI Image Specification for standardized container ecosystem integration and transparent auditing.

โš™๏ธ Reliability & Safety Mechanisms

Features ensuring the structural integrity of the workspace and providing observability.

  • Pre-Write Syntax Validation: Both write_file and search_and_replace perform in-memory syntax validation for Python, JSON, JSONL, TOML, and YAML before persisting changes, preventing broken code states.
  • Fail-Safe Writing: write_file blocks accidental overwrites of existing files by default and enforces a 5MB size guard to prevent workspace flooding.
  • Atomic File Operations: Edits utilize temp-and-move logic to guarantee file integrity and prevent corruption, even during unexpected interruptions or crashes.
  • Transparent Observability: All tool invocations and state changes are streamed in real-time to the MCP client UI for immediate operator oversight.

๐ŸŒ Network Isolation (Optional)

By default, the container has full network access via Docker's bridge network. For maximum isolation, you can completely disable the network stack using --network none:

docker run -i --rm --init \
  --network none \
  --memory=2g --cpus=2.0 --pids-limit=256 \
  --cap-drop=ALL --security-opt=no-new-privileges:true \
  --read-only \
  --tmpfs /tmp:size=64m \
  --tmpfs /home/mcpuser/.cache:size=512m \
  --user 1000:1000 \
  -v /path/to/your/projects:/workspace \
  ghcr.io/hrrodan/agent-workspace-mcp:latest

This creates a fully air-gapped sandbox โ€” only the loopback interface exists inside the container. All outbound connections (curl, DNS, uv add, etc.) will fail immediately, eliminating data exfiltration and lateral movement risks entirely.

[!NOTE] With --network none, the agent cannot install packages at runtime. All dependencies must be pre-installed in a custom image or pre-populated in the mounted workspace volume.


๐Ÿค Contributing

  1. Install Dev Dependencies: uv sync
  2. Run Linting: uv run ruff check .
  3. Run Unit Tests: uv run pytest tests/ --ignore=tests/integration/
  4. Run Integration Tests: Set OPENROUTER_API_KEY and run uv run pytest tests/integration/

ยฉ 2026 HrRodan. Licensed under MIT.